At 11pm UK time on the 31st December 2020 the transition period for the UK leaving the EU ended. The ‘Brexit Deal’ was struck and detailed in the ‘UK/EU trade cooperation agreement’.
Changes to data protection and privacy
Emeritus College Fellow Steve Bax explains the key things you need to be aware of:
1. There is a new data protection regime that we need to follow. The GDPR is retained in domestic law now that the transition period has ended, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. (Source: Information Commissioner’s Office, ICO.) This means that we need to comply with the following:
- DPA 2018 – amended version
- EU GDPR – if marketing to data subjects in the EU
- PECR – The Privacy and Electronic Communications (EC Directive) Regulations 2003
2. The ‘Brexit Deal’ provides an interim data transfer window of up to six months. This means that, in the absence of ‘adequacy’ having yet been granted for the UK, the free flow of data without safeguards can continue from the EU/EEA to the UK. There are conditions that need to be met by the UK to keep this open. Hopefully, during this period the European Commission will grant the UK an adequacy decision.
3. The UK and EU have both made a commitment to ensuring that direct marketing communications are not sent to individuals without their consent, although ‘soft opt-in’ can still be relied upon.
4. There is also an undertaking that both parties will cooperate on data protection issues, so there will hopefully continue to be close involvement of the ICO with the European Commission, the European Data Protection Board (EDPB) and EU supervisory authorities going forward. Again, this may help to secure an adequacy decision for the UK, which would be positive for all UK organisations marketing in EU/EEA countries.
Areas to check for important updates
1. First and foremost, where is any personal data being stored/processed? It is vital that you know this.
2. What do you have in place for data transfers to non-EEA countries (especially the US)? Think about the less obvious ones too, such as WeTransfer, GoToMeeting, monday.com etc. What safeguards are in place? These might be:
- Standard Contractual Clauses (SCCs) – if these are drafted by the receiver, have you signed them?
- Transfer Impact Assessments. The ICO suggests use of these in addition to SCCs, for the US in particular.
- Binding Corporate Rules
- Other derogations – these might be consent or performance of a contract. Check that these are sufficiently robust and that they meet the requirements of the relevant data protection laws.
- Data Sharing Agreements. Make sure that these are in place and up to date in terms of laws to be complied with.
3. Check that you have Data Processing Agreements in place with any organisations undertaking processing or sub-processing on your behalf (mailing houses, for example).
4. Do you have an EU representative? If your organisation has no base inside the EEA and you are marketing to individuals in one or more of these countries, the EU GDPR requires you to appoint one.
5. Are your Privacy Policies up to date? Aside from updating the laws that they reflect, it is an ideal opportunity to check that they include any changes that have happened since you last updated them. Also, check that the various policies you have and other documentation are consistent. It is easy to build a library of data protection documentation without cross-referencing previous iterations.
6. An overall review of all personal data flows and the measures in place to protect these is well worth doing right now.
More information and advice
The ICO website is a mine of information.
Steve Bax did an interview for the College's Podcast which gives more information.